GDPR has been in force since May 2018 and regulators have issued over €4.5 billion in fines since then. But despite all the attention, many small businesses still aren’t compliant — often because GDPR guidance is written in legalese that’s hard to translate into practical action. This guide gives you the specific steps a small business needs to take, without the lawyer-speak.
Does GDPR Apply to You?
GDPR applies if you process personal data of people in the EU/EEA — regardless of where your business is located. If you have EU customers, GDPR applies to you.
Personal data includes:
- Name and email address
- IP addresses
- Cookie identifiers
- Location data
- Health information
- Financial data

You are a "Data Controller" if you decide what data to collect and why. You are a "Data Processor" if you process data on behalf of a controller. Most businesses are both.
The 7 GDPR Principles (Plain English)
1. Lawfulness, fairness, transparency: have a legal basis for processing and be honest about what you do.
2. Purpose limitation: collect data for specific purposes and don't use it for other things. Example: an email address collected for order confirmations cannot be used for marketing without separate consent.
3. Data minimisation: only collect data you actually need. If you do not need a date of birth, do not ask for it.
4. Accuracy: keep data up to date and let users correct it.
5. Storage limitation: delete data when you no longer need it. Define and enforce retention periods.
6. Integrity and confidentiality: protect data with appropriate security measures.
7. Accountability: be able to demonstrate compliance (documentation!).
Legal Bases for Processing
You MUST have a legal basis for processing personal data:

1. Consent: the user explicitly agrees (most common for marketing). Requirements for valid consent:
   - Freely given (no pre-ticked boxes!)
   - Specific to each purpose
   - Informed (clear language)
   - Unambiguous (clear opt-in action)
   - Withdrawable at any time
2. Contract: processing necessary for a contract. Example: storing a customer's address to fulfil an order.
3. Legal obligation. Example: tax records required by law.
4. Legitimate interests. Example: fraud prevention, network security monitoring. Must be balanced against the individual's rights.

Most small businesses use:
- Contract (for customers)
- Consent (for marketing)
- Legal obligation (for accounting records)
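The two points above that trip up most implementations are that consent must be specific to a purpose (the order-confirmation email does not carry over to marketing) and that it must be withdrawable. The following is an added example, not code from the original guide, showing one way to model that in application code: a per-subject consent ledger where nothing is consented to by default, each purpose is tracked separately, and the latest decision wins. The purpose names, source labels and the `may_process` gate are assumptions for the example.

```python
"""Purpose-bound consent ledger (added example, not from the original guide)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentEvent:
    purpose: str      # hypothetical purpose name, e.g. "marketing_email"
    granted: bool     # True = opt-in, False = withdrawal
    source: str       # where the choice was captured, e.g. "checkout_opt_in_box"
    at: datetime      # when it was captured (kept for the audit trail)


@dataclass
class ConsentLedger:
    """Append-only history of consent decisions for one data subject."""
    events: List[ConsentEvent] = field(default_factory=list)

    def record(self, purpose: str, granted: bool, source: str,
               at: Optional[datetime] = None) -> None:
        self.events.append(ConsentEvent(
            purpose, granted, source, at or datetime.now(timezone.utc)))

    def has_consent(self, purpose: str) -> bool:
        """The most recent decision for this purpose wins. No decision at all
        means no consent: a pre-ticked box never produces a ledger entry."""
        for event in reversed(self.events):
            if event.purpose == purpose:
                return event.granted
        return False


# Bases that do not rest on consent (documented in the record of processing).
NON_CONSENT_BASES = {"contract", "legal_obligation", "legitimate_interests"}


def may_process(purpose: str, legal_basis: str, ledger: ConsentLedger) -> bool:
    """Gate a processing operation on its documented legal basis.

    A consent-based purpose proceeds only with an affirmative, unrevoked
    opt-in for exactly that purpose; consent for one purpose never carries
    over to another.
    """
    if legal_basis in NON_CONSENT_BASES:
        return True
    if legal_basis == "consent":
        return ledger.has_consent(purpose)
    raise ValueError(f"unknown legal basis: {legal_basis!r}")


if __name__ == "__main__":
    # Constructed walk-through: email collected at checkout for the order,
    # then separately opted in for marketing, then unsubscribed.
    ledger = ConsentLedger()
    print(may_process("order_confirmation", "contract", ledger))   # True
    print(may_process("marketing_email", "consent", ledger))       # False
    ledger.record("marketing_email", True, "checkout_opt_in_box")
    print(may_process("marketing_email", "consent", ledger))       # True
    ledger.record("marketing_email", False, "unsubscribe_link")
    print(may_process("marketing_email", "consent", ledger))       # False
```

Keeping the ledger append-only rather than storing a single boolean per user is what lets you demonstrate accountability later: you can show when consent was given, through which form, and when it was withdrawn.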
Practical Compliance Checklist
STEP 1: Data Mapping (Record of Processing Activities)

Document everything you know about the data you process:
- What data do you collect? (name, email, IP, payment info)
- Why? (legal basis)
- From whom? (customers, employees, website visitors)
- Who has access? (staff, third-party processors)
- How long do you keep it? (retention period)
- Where is it stored? (country/region matters for transfers)

A template is available from your national DPA's website.
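The record of processing is more useful kept as data than as a spreadsheet nobody reads, because two of the questions above can then be checked automatically: where is it stored (anything outside the EEA needs a transfer safeguard recorded) and how long is it kept (which stored records are past their retention period). The following is an added example, not from the original guide; the activities, retention periods, country codes, the trimmed EEA list and the record layout are all constructed for illustration.

```python
"""Record of Processing Activities as data, with two derived checks
(added example, not from the original guide)."""
from datetime import date, timedelta
from typing import Dict, List

# Trimmed EEA list for the example; extend to the full list before relying on it.
EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "NO", "PL", "PT", "SE"}

# One row per processing activity answering the six data-mapping questions.
# Every value here is constructed for the example.
ROPA: List[Dict] = [
    {"activity": "order_fulfilment", "data": ["name", "address", "email"],
     "basis": "contract", "subjects": "customers", "access": ["ops_staff"],
     "retention_days": 730, "storage_country": "DE", "transfer_safeguard": None},
    {"activity": "newsletter", "data": ["email"], "basis": "consent",
     "subjects": "subscribers", "access": ["marketing", "email_provider"],
     "retention_days": 365, "storage_country": "US", "transfer_safeguard": "SCCs"},
    {"activity": "web_analytics", "data": ["ip", "cookie_id"], "basis": "consent",
     "subjects": "visitors", "access": ["marketing"],
     "retention_days": 90, "storage_country": "US", "transfer_safeguard": None},
]

# Constructed sample of what is actually sitting in storage right now.
STORED: List[Dict] = [
    {"id": "ord-1", "activity": "order_fulfilment", "created": "2022-01-10"},
    {"id": "ord-2", "activity": "order_fulfilment", "created": "2024-02-01"},
    {"id": "hit-9", "activity": "web_analytics", "created": "2024-01-01"},
]


def missing_transfer_safeguard(ropa: List[Dict]) -> List[str]:
    """Activities stored outside the EEA with no transfer mechanism recorded."""
    return [a["activity"] for a in ropa
            if a["storage_country"] not in EEA and not a["transfer_safeguard"]]


def overdue_records(ropa: List[Dict], records: List[Dict], today: str) -> List[str]:
    """IDs of stored records older than their activity's retention period.

    `records` are {"id", "activity", "created": "YYYY-MM-DD"}; `today` is an
    ISO date string so the check can be run for any cut-off.
    """
    limit = {a["activity"]: a["retention_days"] for a in ropa}
    cutoff = date.fromisoformat(today)
    due = []
    for r in records:
        created = date.fromisoformat(r["created"])
        if created + timedelta(days=limit[r["activity"]]) <= cutoff:
            due.append(r["id"])
    return due


if __name__ == "__main__":
    print(missing_transfer_safeguard(ROPA))          # ['web_analytics']
    print(overdue_records(ROPA, STORED, "2024-06-01"))  # ['ord-1', 'hit-9']
```

Run the retention check on a schedule and feed its output to whatever actually deletes the data; the record then serves both as the documentation regulators ask for and as the policy your systems enforce.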
STEP 2: Privacy Notice Update

Your website privacy notice must include:
- Identity and contact details of the data controller
- What data you collect
- Legal basis for processing
- How long you retain data
- Data subject rights (access, deletion, portability)
- How to complain to the supervisory authority
STEP 3: Cookie Consent

If you use cookies beyond "strictly necessary":
- You must obtain consent BEFORE setting non-essential cookies
- Consent must be specific, informed and unambiguous
- A "Reject all" option must be as easy as "Accept all"
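Most consent banners fail on the first point: the analytics tag is loaded on page one and the banner merely asks forgiveness. The gate has to sit in the code path that sets the cookies. The following is an added example, not from the original guide, showing the server-side half: a consent cookie stores the visitor's choice per category, and the response only sets cookies for categories that choice allows. With no stored choice, or an unreadable one, only strictly necessary cookies are set. Cookie names, category names and values are constructed for the example.

```python
"""Consent-gated cookie setting (added example, not from the original guide)."""
import json
from typing import Dict, List, Optional

CONSENT_COOKIE = "cookie_consent"            # hypothetical name for the stored choice
NON_ESSENTIAL = ("analytics", "marketing")   # categories that need prior consent
ATTRS = "Path=/; Secure; SameSite=Lax"

# Cookies the site would like to set, tagged by category (constructed values).
SITE_COOKIES = [
    {"name": "session_id", "value": "s3ss10n", "category": "necessary"},
    {"name": "analytics_id", "value": "a-1234", "category": "analytics"},
    {"name": "ad_profile", "value": "p-5678", "category": "marketing"},
]


def read_consent(request_cookies: Dict[str, str]) -> Dict[str, bool]:
    """Parse the visitor's stored choice.

    No consent cookie, or one that cannot be parsed, means no consent for
    any non-essential category: silence is never treated as agreement.
    """
    choice = {c: False for c in NON_ESSENTIAL}
    raw = request_cookies.get(CONSENT_COOKIE)
    if not raw:
        return choice
    try:
        stored = json.loads(raw)
        for c in NON_ESSENTIAL:
            choice[c] = stored.get(c) is True   # only an explicit true counts
    except (ValueError, AttributeError):
        pass  # malformed or non-object value: everything stays False
    return choice


def set_cookie_headers(request_cookies: Dict[str, str]) -> List[str]:
    """Set-Cookie headers for the cookies the visitor's choice permits.

    Strictly necessary cookies are always set; every other category is set
    only if the stored choice says True for it.
    """
    consent = read_consent(request_cookies)
    return [f'{c["name"]}={c["value"]}; {ATTRS}'
            for c in SITE_COOKIES
            if c["category"] == "necessary" or consent[c["category"]]]


def consent_cookie_value(accept_all: bool,
                         per_category: Optional[Dict[str, bool]] = None) -> str:
    """Value to store when the banner is answered.

    "Accept all" and "Reject all" are each one click producing one cookie,
    so rejecting is exactly as easy as accepting. A granular choice can be
    passed instead when the visitor opens the details panel.
    """
    if per_category is None:
        per_category = {c: accept_all for c in NON_ESSENTIAL}
    return json.dumps({c: bool(per_category.get(c, False)) for c in NON_ESSENTIAL})


if __name__ == "__main__":
    print(set_cookie_headers({}))                                        # session only
    print(set_cookie_headers({CONSENT_COOKIE: consent_cookie_value(True)}))   # all three
    print(set_cookie_headers({CONSENT_COOKIE: consent_cookie_value(False)}))  # session only
```

The same rule applies to client-side tags: the script that sets analytics or advertising cookies must not be loaded until `read_consent` (or its browser equivalent) says the category is allowed.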
STEP 4: Data Subject Rights Process

You must respond to requests within 30 days:
- Right of Access: provide a copy of all data held
- Right to Erasure: delete the data ("right to be forgotten")
- Right to Portability: provide the data in a machine-readable format
- Right to Object: stop processing for marketing
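Handling these requests by hand across several systems is where the 30-day window gets missed. The following is an added example, not from the original guide, that implements the four rights over a small in-memory store: access and portability produce one machine-readable JSON export, erasure removes everything except records held under a legal obligation (which keep their own retention period), and objection switches marketing off. The store layout, the legal-basis tags on each record and the sample data are constructed; the 30-day deadline is taken from the text above.

```python
"""Data subject request handling (added example, not from the original guide)."""
import copy
import json
from datetime import date, timedelta
from typing import Dict, List

RESPONSE_DEADLINE_DAYS = 30   # the response window stated in the guide

# Constructed records for one customer, spread over several tables and each
# tagged with the legal basis it is processed under.
STORE: Dict[str, List[Dict]] = {
    "customers": [{"id": 42, "email": "ana@example.com",
                   "marketing_opt_in": True, "basis": "contract"}],
    "orders": [{"id": 1001, "customer_id": 42, "total": 59.90, "basis": "contract"}],
    "invoices": [{"id": "INV-7", "customer_id": 42, "total": 59.90,
                  "basis": "legal_obligation"}],
    "web_logs": [{"customer_id": 42, "ip": "203.0.113.7",
                  "basis": "legitimate_interests"}],
}


def fresh_store() -> Dict[str, List[Dict]]:
    """A private copy so each request can be exercised on clean data."""
    return copy.deepcopy(STORE)


def response_deadline(received_iso: str) -> str:
    """Date by which the request must be answered, as an ISO string."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=RESPONSE_DEADLINE_DAYS)).isoformat()


def _belongs_to(table: str, row: Dict, customer_id: int) -> bool:
    if table == "customers":
        return row.get("id") == customer_id
    return row.get("customer_id") == customer_id


def records_for(store: Dict[str, List[Dict]], customer_id: int) -> Dict[str, List[Dict]]:
    """Every record in every table that belongs to this data subject."""
    found = {}
    for table, rows in store.items():
        mine = [r for r in rows if _belongs_to(table, r, customer_id)]
        if mine:
            found[table] = mine
    return found


def export_json(store: Dict[str, List[Dict]], customer_id: int) -> str:
    """Right of access and right to portability: one machine-readable file."""
    return json.dumps(records_for(store, customer_id), indent=2, sort_keys=True)


def handle_erasure(store: Dict[str, List[Dict]], customer_id: int) -> Dict[str, int]:
    """Right to erasure. Deletes the subject's records except those kept
    under a legal obligation (e.g. invoices required for tax), which stay
    until their own retention period ends. Returns deletions per table."""
    deleted: Dict[str, int] = {}
    for table, rows in store.items():
        kept = []
        for row in rows:
            if _belongs_to(table, row, customer_id) and row.get("basis") != "legal_obligation":
                deleted[table] = deleted.get(table, 0) + 1
            else:
                kept.append(row)
        store[table] = kept
    return deleted


def handle_objection(store: Dict[str, List[Dict]], customer_id: int) -> bool:
    """Right to object: stop marketing for this subject. False if unknown."""
    for row in store["customers"]:
        if row["id"] == customer_id:
            row["marketing_opt_in"] = False
            return True
    return False


if __name__ == "__main__":
    store = fresh_store()
    print(response_deadline("2024-03-01"))   # 2024-03-31
    print(export_json(store, 42))
    print(handle_erasure(store, 42))         # {'customers': 1, 'orders': 1, 'web_logs': 1}
    print(list(records_for(store, 42)))      # ['invoices']
```

The erasure report is worth keeping with the request record: it documents what was deleted and what was retained on which basis, which is exactly what you need if the subject or the regulator later asks why an invoice still exists.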
STEP 5: Data Processor Agreements

Any third party that processes data on your behalf needs a DPA:
- Your email provider (Mailchimp, SendGrid)
- Your cloud host (AWS, Google Cloud)
- Your CRM (Salesforce, HubSpot)

Most major providers publish standard DPA agreements on their websites.
Breach Notification
If you suffer a personal data breach, the timeline requirements are:
- 72 hours: notify your national DPA (if the breach is high-risk)
- Without undue delay: notify affected individuals (if there is a high risk to their rights)

What counts as a breach?
- Unauthorized access to the customer database
- A lost laptop with unencrypted customer data
- An accidental email containing customer data sent to the wrong person

Breach response checklist:
1. Contain: stop the breach from continuing
2. Assess: what data, how many people, what risk?
3. Notify the DPA within 72 hours if required
4. Notify individuals if the risk to them is high
5. Document: even breaches you do not need to report must be documented
6. Review: what went wrong, and what changes are needed?
Technical Measures
GDPR requires "appropriate technical measures" to protect data. For most small businesses this means:

Encryption at rest:
- Database encryption (PostgreSQL: pg_encrypt, MySQL: AES_ENCRYPT)
- Full disk encryption on servers and laptops (BitLocker, FileVault)

Encryption in transit:
- HTTPS everywhere (Let's Encrypt provides free TLS certificates)
- TLS 1.2+ only (disable older versions)

Access control:
- Minimum access necessary (RBAC)
- Staff only see data relevant to their role
- Customer service reps should not have raw database access

Audit logging:
- Log who accessed what data and when
- Keep logs for at least 6 months

Regular security assessments:
- Annual penetration test or vulnerability scan
- Documented in your Record of Processing Activities
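The access-control and audit-logging points above are easiest to get right together: if every read of personal data goes through one function, that function can both enforce the role's field list and write the audit entry. The following is an added example, not from the original guide. The roles, the fields each may read, the customer record and the log entry format are assumptions for the example; in particular, the "support" role is given order status but not payment details, and a "dba" role gets no application-level access to customer fields at all.

```python
"""Role-based field access with an audit trail (added example, not from the guide)."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Fields each role may read (assumption for the example).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "support": {"email", "order_status"},
    "finance": {"email", "order_status", "card_last4"},
    "dba": set(),
}

# Constructed customer record.
CUSTOMER = {"id": 42, "email": "ana@example.com",
            "order_status": "shipped", "card_last4": "4242"}

# Append-only audit trail: one entry per attempted read, allowed or not.
audit_log: List[Dict] = []


class AccessDenied(Exception):
    pass


def read_customer(user: str, role: str, record: Dict, fields: List[str],
                  now: Optional[datetime] = None) -> Dict:
    """Single gate for reading personal data.

    Enforces the role's field list and records who asked for which fields
    of which record, when, and whether they got them. Denials are logged
    too: they are the entries a log review should look at first.
    """
    allowed = ROLE_FIELDS.get(role, set())      # unknown role => nothing allowed
    denied = sorted(f for f in fields if f not in allowed)
    audit_log.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user,
        "role": role,
        "record_id": record["id"],
        "fields": list(fields),
        "outcome": "denied" if denied else "ok",
    })
    if denied:
        raise AccessDenied(f"role {role!r} may not read {denied}")
    return {f: record[f] for f in fields}


def denied_attempts(log: List[Dict]) -> List[Dict]:
    """Entries worth a second look during periodic log review."""
    return [e for e in log if e["outcome"] == "denied"]


if __name__ == "__main__":
    print(read_customer("bob", "support", CUSTOMER, ["email", "order_status"]))
    try:
        read_customer("bob", "support", CUSTOMER, ["card_last4"])
    except AccessDenied as exc:
        print(exc)
    print(read_customer("carol", "finance", CUSTOMER, ["card_last4"]))
    print(denied_attempts(audit_log))
```

In a real system the log goes to append-only storage with its own retention period (the guide suggests at least 6 months), and the roles come from your identity provider rather than a dictionary; the shape of the gate stays the same.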
Wrap Up
GDPR compliance is not a one-time project — it’s an ongoing program. Start with a data map, update your privacy notice, implement proper cookie consent, and establish a process for handling subject access requests. Document everything. Regulators care about demonstrable accountability as much as technical compliance.